https://bugs.winehq.org/show_bug.cgi?id=45391
Bug ID: 45391
Summary: winehq.org is distributing compiled LGPL code packages but withholding their sources
Product: Packaging
Version: unspecified
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wine-packages
Assignee: wine-bugs@winehq.org
Reporter: forestcode@ixio.org
CC: michael@fds-team.de, sebastian@fds-team.de
Distribution: ---

The source code tarballs and package build scripts for WineHQ's Ubuntu and Debian packages are not published. They are not where they are supposed to be according to the official Debian/Ubuntu sources.list file (the deb-src entry that gets created when someone follows the official apt-add-repository instructions), they don't seem to be referenced anywhere else obvious, and nobody at the Wine project has been forthcoming about how to get them. [1][2][3]
So, winehq.org is distributing binary packages without making their sources available. This makes it impossible for the people using those packages to audit the code, reproduce the packages, test patches on known-good packaged versions, or port them to different OS releases (the latter leading to issues like bug 45085).
From what I can tell, this is also likely an LGPL violation:
"4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code"
What will it take to remedy this situation?
[1] Notice the absence of an answer in this thread: https://www.winehq.org/pipermail/wine-devel/2018-May/127507.html
[2] Nobody had an answer for me on the two occasions when I asked on #winehackers IRC this week.
[3] Nobody responded when I emailed the package maintainers listed at https://wiki.winehq.org/Download